FOR526: Memory Forensics In-Depth
Digital Forensics and Incident Response (DFIR) professionals view the acquisition and analysis of physical memory as critical to the success of an investigation, be it a criminal case, employee policy violation, or enterprise intrusion. Investigators who do not look at volatile memory are leaving evidence on the table. The valuable contents of RAM hold evidence of user actions as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.
FOR526 Memory Forensics In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to proficiently analyze captured memory images and live response audits. The six-day course uses the most effective freeware and open-source tools in the industry today and provides a deeper understanding of how these tools work. It is a critical course for any serious DFIR investigator who wants to tackle advanced forensics, trusted insider, and incident response cases.
Just as it is crucial to understand disk and registry structures to substantiate findings in traditional system forensics, it is equally critical to understand memory structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the case at hand.
There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. This course draws on best practices and recommendations from experts in the field to guide DFIR professionals through acquisition, validation, and memory analysis with hands-on, real-world, and malware-laden memory images. FOR526 Memory Forensics In-Depth will teach you:
- Proper Memory Acquisition: Demonstrate targeted memory capture ensuring data integrity and combating anti-acquisition techniques.
- How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Libraries (DLL) hijacking, process hollowing, and sophisticated persistence mechanisms.
- Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-low level analysis, and walking the Virtual Address Descriptors (VAD) tree to spot anomalous behavior.
- Best Practice Techniques: Learn when to implement triage, live system analysis, and alternative acquisition techniques, and how to devise custom parsing scripts for targeted memory analysis.
Remember: Malware can hide, but it must run. This "malware paradox" is the key to understanding that while intruders are becoming more advanced with anti-forensic tactics and techniques, it is impossible for them to hide their footprints completely from a skilled incident responder performing memory analysis. FOR526 will ensure that you and your team are ready to respond to the challenges inherent in DFIR by using cutting-edge memory forensics tools and techniques.
MALWARE CAN HIDE, BUT IT MUST RUN
|FOR526.1: Foundations in Memory Analysis & Acquisition|
Simply put, memory analysis has become a required skill for all incident responders and digital forensics examiners. Regardless of the type of investigation, system memory and its contents often expose the "first hit" - the evidential thread that, when pulled, unravels the whole picture of what happened on the target system. Where is the malware? How did the machine get infected? Where did the attacker move laterally? Or what did the disgruntled employee do on the system? What lies in physical memory can provide answers to all of these questions and more.
This section was designed to convince attendees of the relevance and widening application of memory forensics. It is an easy sell in today's world of increasing encryption, burgeoning media storage capacity, and advanced backdoor rootkits. We provide a six-step investigative methodology for both user and malware investigations that will guide an examiner through the exploration of a memory capture.
Memory forensics is the study of operating systems. Operating systems, in turn, work extensively with the processor and its architecture. Therefore, before we can begin a meaningful analysis of the operating system, we must understand how the underlying components work and fit together. This section explains a number of technologies that are used in modern computers and how they have evolved to where they are today. We also explain the virtual to physical memory translation process across the various modern system architectures.
And in the beginning, there is acquisition. Acquisition tools are easy to use but few understand the underlying mechanisms behind them. On Day One of FOR526, we acquire physical memory from a compromised virtual machine using two different methods. In comparing triage using audit collections to full memory capture, we discuss the applications of both, as well as when to use each technique in an investigation.
CPE/CMU Credits: 6
Why Memory Forensics?
The Ubuntu SIFT Workstation
The Volatility Framework
Triage versus Full Memory Acquisition
Physical Memory Acquisition
|FOR526.2: Unstructured Analysis & Process Exploration|
Structured memory analysis using tools that identify and interpret operating system structures is certainly powerful. However, many remnants of previously allocated memory remain available for analysis that cannot be parsed through structure identification. What tools are best for processing fragmented data? Unstructured analysis tools! They neither know nor care about operating system structures. Instead, they examine data, extracting findings using pattern matching. You will learn how to use Bulk Extractor to parse memory images and extract investigative leads such as e-mail addresses, network packets, and more.
Many forensic investigators perform physical memory analysis. But how often do you consider page file analysis to assist in memory investigations? Carving the page file using traditional filesystem carving tools is usually a recipe for failure and false positives. You will learn why typical file carving tools fail and how to parse the page file using YARA for signature matching. You will also learn how to create custom YARA signatures to detect downloaded executable files and extract them from the page file.
Most users are familiar with processes on a Windows system, but not necessarily with how they work under the hood. In this section, we will talk about the operating system components that make up a process, how they fit together, and how they can be exploited by malicious software. We will start with the basics of each process, how it was started, where the executable lives, and what command line options were used. Next we will look at the Dynamic Link Libraries (DLLs) used by a program and how they are found and loaded by the operating system.
Many forensics investigators have used some Volatility plugins (and by now, you will have too). But what happens when there are no plugins written to perform the investigative task required? In this module, you will learn to use volshell to examine OS structures in memory, directly applying this knowledge to solve a real-world problem. You need to extract an executable module from memory for analysis, but the header of the module is paged to disk, concealing critical file alignment data. What do you do? You will learn how to examine the memory that makes up the module and extract the portions in memory to disk. Intractable problem solved!
CPE/CMU Credits: 6
Unstructured Memory Analysis
Page File Analysis
Exploring Process Structures
List Walking and Scanning
Exploring Process Relationships
|FOR526.3: Investigating the User via Memory Artifacts|
An incident responder (IR) is often asked to triage a system because of a network intrusion detection system alert. The Security Operation Center makes the call and requires more information due to outbound network traffic from an endpoint and the IR team is asked to respond. In this section, we cover how to enumerate active and terminated TCP connections - selecting the right plugin for the job based on the OS version.
As we move into the internal structures of a process, virtual address descriptors hold the key to what is contained in the process user space memory section. Spotting injected code relies on our ability to analyze what is "supposed to be" in these sections versus what actually is there. Attendees will become familiar with dance moves like "VADWalk" and "VADdump" - spotting some DLL injection along the way.
The central theme of Day 3 is user artifact analysis, which makes it a great day to cover the registry. In file system forensics, the registry is a wealth of information on system, software, and user activity. With copies of the registry hives loaded into physical memory, we are able to achieve the same detailed analysis, including the volatile hive and keys not found on the file system. Volatility plugins designed specifically for targeting user behavior and evidence of execution are included in our practical application of registry parsing via memory.
Also in this module, you will learn to use the Windows debugger (Windbg) to perform memory analysis. Using the debugger, you will be able to dump plain text passwords that Windows stores in memory for logged-on users. Now you will not need a GPU farm to crack passwords from dumped hashes. Why would a forensics examiner want the suspect's passwords? Because suspects (just like everyone else) reuse passwords! Remember that Truecrypt volume you found on the suspect's machine? Or the encrypted zip file? What do you think the odds are that they used the same password (or an easy permutation) for both?
CPE/CMU Credits: 6
Virtual Address Descriptors
Detecting Injected Code
Analyzing the Registry via Memory Analysis
User Artifacts in Memory
|FOR526.4: Internal Memory Structures (Part I)|
Day 4 focuses on introducing some internal memory structures (such as drivers), Windows memory table structures, and extraction techniques for portable executables. As we come to the final steps in our investigative methodology, "Spotting Rootkit Behaviors" and "Extracting Suspicious Binaries," it is important to emphasize again the "Rootkit Paradox." The more malicious code attempts to hide itself, the more abnormal and seemingly suspicious it appears. We will use this concept to evaluate some of the most common structures in Windows memory for hooking, the IDTs and SSDTs.
Once we have deemed something suspicious, it warrants further detailed analysis. Extraction techniques for PE executable files have already been introduced for drivers (moddump) and dlls (dlldump). In this section, we introduce two methods for extracting an executable, both making use of the PE Header in order to reconstruct the extract PE file as close as it can be to that of the original "on-disk" file. Some obstacles such as PE Corruption are discussed here, along with some advanced work-around techniques, such as dumping memory sections via volshell.
CPE/CMU Credits: 6
Interrupt Descriptor Tables
System Service Descriptor Tables
Direct Kernel Object Manipulation
|FOR526.5: Internal Memory Structures (Part II) and Memory Analysis Challenges|
Sometimes an investigator's luck runs out and he or she does not complete a memory acquisition before the target system is taken offline or shutdown. In these cases, where else can system memory captures be found? Hibernation files and Windows crashdump files can be valuable sources of information, regardless of whether or not you find yourself with a current memory capture. This section covers the structure of the hibernation and crashdump files, as well as how to convert both into raw memory images that can easily be parsed using Volatility and other tools in our memory forensics weapons arsenal. In addition, we will analyze a crash dump file, discovering just how Windows responds and what information is captured when a system crashes.
This section will also present a number of challenges for the memory forensics examiner. We do not want to spoil all of the surprises by listing them in the outline, but we can give you a sense of what you will be working on. These memory images may contain some kind of malicious software or data of interest. Each challenge will provide a little information to go on. (As with real-world examinations, of course, it's never enough information!) Your job will be to determine if there is anything of interest, and if so, what it is.
CPE/CMU Credits: 6
Crash Dump Files
Memory Analysis Challenges
|FOR526.6: Final Day Memory Analysis Challenges|
This final section provides students with a direct memory forensics challenge that makes use of the SANS NetWars Tournament platform. Your memory analysis skills are put to the test with a variety of hands-on scenarios involving hibernation files, Crash Dump files, and raw memory images, reinforcing techniques covered in the first five sections of the course. These challenges strengthen the student's ability to respond to typical and atypical memory forensics challenges from all types of cases, from investigating the user to isolating the malware. By applying the techniques learned earlier in the course, students consolidate their knowledge and can shore up skill areas where they feel they need additional practice.
CPE/CMU Credits: 6
The students who score the highest on the multi-platform memory forensics challenge will be awarded the coveted SANS Digital Forensics Lethal Forensicator Coin. Game on!
!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!
In the class, you will receive a USB containing the Ubuntu SIFT Workstation Virtual Machine appliance with updates and evidence files that are specific to the FOR526 Windows Memory Analysis In-Depth class. In addition, you will receive a custom Windows 8.1 x64 workstation virtual machine and license.
In order to successfully complete the exercises in the class, you can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.
VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.
MANDATORY FOR526 SYSTEM HARDWARE REQUIREMENTS:
MANDATORY FOR526 SYSTEM SOFTWARE REQUIREMENTS:
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
|Who Should Attend|
|You Will Be Able To|
|Press & Reviews|
"Very valuable for what my group is doing at JPL. With the acquisition of MIR and acquiring RAM in first response, this is exactly the skill set we need to master." - Rick Smith, Jet Propulsion Lab
"I got everything I needed from this course and Alissa was a phenomenal instructor!" - Matt Myrick - LLNL
"Excellent information - eye opening as it applies to traditional forensics." - Greg Caouette, Kroll
"I was able to take the techniques learned in this class and break open a case I was working, before even heading home." - Anonymous
"The training opened my eyes for the need to collect memory images as well as physical images for single computer analysis such as theft of IP or other employee investigations." - Greg Caouette, Kroll
"Alissa brings memory dumps back to life." - Stephanie Denis, Canadian Police College
"Typically by day 3 on a SANS course my brain is fried and I'm seriously slowing down. So today when I grabbed Alissa to explain to me VAD Analysis and she walked through it all with me until I understand it. Well I guess you could say that the type of professionalism and dedication that makes me rate SANS so highly." - Sheldon J.
"The SANS Institute is currently the leader in the commercial IR and computer forensic training market. They have a large number of quality courses." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014
Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.